
anglinb | 4 years ago

I worked on the security team at GitHub, this was a long-standing part of how git works. GitHub allows users to verify commits via GPG signatures to prove that they committed something but it doesn't work for proving a negative, that you did not commit something.

We got so many of these submissions which are clearly called out in the rules/scope, usually the people who don't read the rules don't find anything useful. ¯\_(ツ)_/¯


vgel | 4 years ago

Obviously anyone can attach any email to any commit, but why does the frontend UI work like this:

    gh_profile = get_profile_with_email(commit_email)
and not this?

    gh_profile = get_profile_with_email(commit_email)
    if not gh_profile.has_verified_email_ownership(commit_email):
        return None
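The attribution check sketched above, carried through as an added example (not code from either commenter or from GitHub). The profiles, addresses and key fingerprints are constructed sample data; `attribute` also folds in the point from the first comment: a commit whose author field carries a user's verified address still lands on that user's profile, and only a signature by a key on the profile can raise the attribution above "email-only".

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    login: str
    emails: set = field(default_factory=set)           # every address the user added
    verified_emails: set = field(default_factory=set)  # subset confirmed via a mailed link
    signing_keys: set = field(default_factory=set)     # GPG key fingerprints on the profile

    def has_verified_email_ownership(self, email: str) -> bool:
        return email in self.verified_emails


@dataclass
class Commit:
    sha: str
    author_email: str                   # free-form; set by whoever runs `git commit`
    signer_key: Optional[str] = None    # fingerprint behind a valid signature, or None


def get_profile_with_email(email, profiles):
    """Naive lookup from the comment: any profile that merely lists the address."""
    return next((p for p in profiles if email in p.emails), None)


def attribute(commit, profiles):
    """Return (login, status). Only a verified address links a commit to a profile;
    only a signature by a key on that same profile upgrades the status to 'signed'."""
    profile = get_profile_with_email(commit.author_email, profiles)
    if profile is None or not profile.has_verified_email_ownership(commit.author_email):
        return None, "unattributed"
    if commit.signer_key in profile.signing_keys:
        return profile.login, "signed"
    return profile.login, "email-only"


# Constructed sample data: hypothetical users and fingerprints, not real accounts.
PROFILES = [
    Profile("alice", {"alice@example.com"}, {"alice@example.com"}, {"AAAA1111"}),
    # mallory added ceo@example.com to the profile but never confirmed it
    Profile("mallory", {"mallory@example.com", "ceo@example.com"}, {"mallory@example.com"}),
]

if __name__ == "__main__":
    for c in (Commit("c1", "ceo@example.com"), Commit("c2", "alice@example.com"),
              Commit("c3", "alice@example.com", "AAAA1111")):
        print(c.sha, attribute(c, PROFILES))
```

The naive lookup hands `ceo@example.com` to mallory's profile, while `attribute` refuses it; an unsigned commit with alice's verified address still shows as alice, which is exactly the "can't prove a negative" gap.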